Today’s Cybersecurity Threats and Trends - 09/20/2024

Dark clouds gather overhead as the Noise Storm builds.


Before we dive in, I would like to thank all of you for supporting us with your subscription! I aim to bring both actionable insights and information regarding cybersecurity threats to non-tech and technical professionals alike. If this sounds like something that would help someone you know, please share the newsletter!

Finally, I would like to thank Oneleet for sponsoring today's newsletter!

Please check them out! It goes a long way in our quest to get everyone interested in cybersecurity.
(You don’t have to buy anything or fill anything out to support us, just click the banner below!)

Want SOC 2 compliance without the Security Theater?

  • Get the all-in-one platform for SOC 2

  • Build real-world security 💪

  • Penetration testing, compliance software, 3rd party audit, & vCISO

1. Iranian APT’s Infiltration Intensifies

Primary Threat: UNC1860, an Iranian state-sponsored APT group, has been linked to the Ministry of Intelligence and Security (MOIS). This group has been using highly customized tools and backdoors to infiltrate and maintain long-term access to high-profile networks in the Middle East, particularly in the government and telecommunications sectors. Mandiant's research highlights that UNC1860 acts as an initial access facilitator, providing access for other Iranian threat actors. Its arsenal includes web shells like STAYSHANTE, backdoors such as BASEWALK, and utilities like TEMPLEDOOR, giving it the ability to perform extensive espionage operations.

  • MITRE Tactics: Initial Access, Persistence, Lateral Movement

  • Risk: High – UNC1860’s advanced tooling and persistence make it a formidable threat to critical infrastructure in the region.

2. Critical Flaw Forces Ivanti Fix

Primary Threat: Ivanti has patched a critical vulnerability (CVE-2024-8963) affecting its Cloud Services Appliance (CSA) product. This flaw could allow remote attackers to exploit affected systems, potentially leading to unauthorized access and data breaches. The vulnerability carries a high severity rating, and Ivanti has issued an urgent security advisory urging all affected users to apply the patch immediately to mitigate the risk.

  • MITRE Tactics: Execution, Privilege Escalation

  • Risk: Critical – This vulnerability could be exploited by remote attackers, posing a significant risk to organizations using Ivanti's Cloud Services Appliance.

Unlock your potential with our partner…

Whether you're a beginner or an expert, Hack The Box provides a dynamic and engaging environment to test your hacking mettle. Join me and thousands of other professionals in this thriving community and take your cybersecurity expertise to the next level.

Start your journey today!

3. GitHub’s Growing Grief

Primary Threat: A new malware campaign is abusing GitHub repositories to spread malware disguised as legitimate code. The campaign involves scanning GitHub repos and injecting malicious payloads into software projects, leading to widespread malware infections. This attack aligns with other recent GitHub-related vulnerabilities, making it critical for developers to scrutinize third-party code. This campaign is part of broader issues around GitHub security, as reported earlier this month.

  • MITRE Tactics: Execution, Initial Access

  • Risk: High – Developers and users of open-source code may unknowingly pull malware into their projects, compromising security.

4. TeamTNT Takes Cloud by Storm

Primary Threat: The infamous TeamTNT group has launched a new cryptojacking campaign that deploys the Diamorphine rootkit to conceal malicious activity on compromised hosts. Group-IB’s research shows that the attack chain also establishes persistent remote access, making the intrusion difficult for defenders to detect and remove. TeamTNT's ongoing campaign underscores the continued threat of cryptojacking across cloud environments.

  • MITRE Tactics: Persistence, Defense Evasion

  • Risk: Medium – Cryptojacking may degrade system performance and increase operational costs for cloud service users.

5. Spoofed Signals Surge in the “Noise Storm”

Primary Threat: GreyNoise researchers have identified a massive influx of spoofed web traffic, dubbed “Noise Storm,” with strong links to China. This traffic, which appears as legitimate web activity, is being used to conceal malicious operations and potentially deliver hidden commands within the noise. The activity is thought to be part of China's broader cyber operations, obscuring true attack vectors by flooding the internet with spoofed signals.

  • MITRE Tactics: Command and Control, Defense Evasion

  • Risk: High – The spoofed traffic could hide various attack techniques, complicating detection and response efforts.

IN SUMMARY:

This week’s cybersecurity developments span a range of threats, from state-sponsored espionage to critical vulnerabilities and clever malware campaigns.

Iranian APT UNC1860 continues to infiltrate key Middle Eastern networks, while TeamTNT’s cryptojacking campaigns target cloud infrastructures.

GitHub repositories are being abused to distribute malware, and massive volumes of spoofed traffic linked to China are obscuring dangerous cyber activity.

Stay patched and vigilant to protect against these evolving threats.

Because… ‘it’s better to be paranoid than to be pwnd!’

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)